Security Engineering Approach for the Development of
Secure Information Systems
Young-Gab Kim and Sungdeok Cha
College of Information and Communication, Korea University, 1, 5-ga, Anam-dong, Sungbuk-gu, 136-701, Seoul, Korea
{always, scha}@korea.ac.kr
Abstract. Even though software engineering have become a fundamental com-ponent to produce information systems and related software comcom-ponents, it is not adequate and effective for developing secure information systems. In this paper, we propose holistic, consistent, and integrated security engineering pro-cedures for analyzing, designing, developing, testing, and maintaining secure enterprise information systems. The proposed security engineering methodolo-gy combines security risk control, enterprise security architecture, and security management as an integrated framework.
Keywords: security engineering, enterprise security architecture, secure infor-mation system, security risk analysis, security management
1
Introduction
As Internet and information technologies have become an increasingly important part of enterprise information systems, the security management of enterprise information systems has become a critical issue. Even though the software engineering discipline provides principles, methodologies, and tools for the development of information systems, it is not adequate and effective for designing, developing, and maintaining secure software systems [1]. The main reason is that in the majority field of software engineering, security concerns are treated as elective topics or lumped together with quality attributes or ethics. That is, in many cases, security features are treated as of secondary importance, and this neglect results in the system engineer developing buggy code with weak security measures [2]. Furthermore, software engineering does not support a holistic and integrated approach to control security features. In addition, in order to develop secure enterprise information systems, the roles of the stakehold-ers are very important. However, most system enginestakehold-ers, especially software engi-neers, have no security-relevant knowledge about such issues as security risk analysis, and security mechanisms and services [3]. Similarly, most security engineers do not have the systems-engineering background required to approach a security problem holistically [4].
Security engineering is a field of engineering that deal with building secure sys-tems that will remain dependable in the face of malice, error, or mischance. It focuses
on the tools, processes, and methods needed to design, implement, and test complete systems, and to adapt existing systems as their environment evolves [5]. However, security engineering, in practice, does not merge smoothly with the other engineering disciplines (e.g., software engineering, system engineering) [6]. In order to meet the need for secure enterprise information systems, we need new approaches to security engineering. In this paper, we propose a holistic, consistent, and integrated security engineering approach for developing secure enterprise information systems.
The rest of the paper is organized as follows. Section 2 surveys existing approaches to security engineering. In Section 3, we describe the layered security engineering model and the activities of security engineering in the system development life cycle (SDLC). Finally, Section 4 concludes the paper.
2
Related Work
Some approaches to providing security engineering have been proposed. First, there are several international standards [7-9]: SSE-CMM (Systems Security Engineering – Capability Maturity Model) [7] is a process model that describes the essential systems security processes and management tasks that any organization must perform. It is focused on the requirements for implementing security in software systems or related systems components. ISO/IEC 15408 [8] is a common criterion (CC) for evaluating the security of information system or software. It defines two security requirements: security functional requirements (SFR) and security assurance requirements (SAR). Its purpose is to allow users to specify security requirements, developers to specify the security attributes of their products, and evaluators to determine whether products actually meet their claims. ISO/IEC 27002 [9] is an information security standard that provides a best practice guide to information security controls. It has established guidelines and general principles for initiating, implementing, and improving infor-mation security management with an organization. However, these standards are complex, and it is hard to understand and implement them. Furthermore, they do not explain how to implement each security control successfully.
Several other studies [10-13] have focused on security requirements engineering as an early activity of software development. Nunes et al. [10] proposed a security engi-neering approach, named PSSS (Process to Support Software Security), based on the activities derived from SSE-CMM, ISO/IEC 15408, ISO/IEC 27002, and OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) [11]. PSSS in-cludes security activities such as software-based vulnerability, threat, and impact and risk assessments, which also contribute to information security strategic goals. Horie et al. [12] proposed an information security engineering environment (ISEE) based on ISO/IEC information security standards. ISEE integrates various tools and functions for supporting continuous and consistent design, development, and management of the security facilities of information systems with high security requirements. Wang et al. [13] proposed a process of security requirements that consists of nine steps and deals with the security requirements in the early stages of system design. They used a systematic approach to integrate software engineering process into develop security
requirements. Mead et al. [14] developed the security quality requirements engineer-ing (SQUARE) methodology. SQUARE methodology provides a means for extract-ing, categorizextract-ing, and prioritizing security requirements for information systems and applications. It helps system engineers integrate security considerations into the early stages of the SDLC.
3
Proposed Approach
The main goal of the security engineering proposed in this paper is to provide proce-dures for analyzing, designing, developing, testing, and maintaining secure enterprise information systems. Fig.1 illustrates the basic concept of a layered security engineer-ing model, which is composed of three important components: security management, enterprise security architecture (ESA), and security mechanism and services.
Fig. 1. Layered Security Engineering Model
Security management describes the specific needs for managing security risk, in-cluding the security policy, as the logical model of organization’s business require-ments for security and risk. The results of a security risk assessment, the risk assess-ment report, are also used to manage security risk mitigations (e.g., security mecha-nism, security service, and potential safeguards).
ESA is a main component of security engineering for implementing secure enter-prise information systems. It provides the contextual, conceptual, logical, physical, component, and operational security of security-related policies, mechanisms, and procedures to give shape to a security management. The ESA proposed in this paper is expanded from the layered security architectures derived from SABSA (Sherwood Applied Business Security Architecture) [15] methodology.
Security Mechanisms & Services describes the detailed security technology for making concise enterprise security architecture to provide the confidentiality, integri-ty, and availability of an organization’s information. Generally, security services are
Security Management - security policy - risk assessment report
Enterprise Security Architecture - contextual security architecture - conceptual security architecture - logical security architecture - physical security architecture - component security architecture
Security Mechanisms & Services - confidentiality - integrity - availability - access control - authentication - non-repudiation - ….
Importance of
organizational aspects Granularity of
implemented as the objectives of security solutions. Therefore, the compatibility and interoperability of security solutions are not guaranteed. That is, they do not provide holistic and integrated strategies. This paper proposes a way to map these security services into an ESA.
The layered security engineering model can be mapped into the activities of securi-ty engineering in the SDLC as illustrated in Fig. 2.
Fig. 2. Activities of Security Engineering in System Development Life Cycle (SDLC) The proposed security engineering approach consists of several security-related ac-tivities that form a process to support the development of a more secure information system. The activity begins with security requirement analysis, which defines the required security properties, which the enterprise information systems should be satis-fied. These security requirements play a role in the design of an ESA. Simultaneously, as the earlier activities of risk assessment, threat analysis, asset analysis, and vulnera-bility analysis are conducted in the requirement analysis phase of SDLC.
In the design phase of SDLC, the output of three activities (i.e., threat, asset, and vulnerability) is used to estimate security risk, and then risk mitigations (e.g., security mechanism, security service, and potential safeguards) are selected and implemented. Security risk assessment in this phase can identify potential security vulnerabilities and their impact. Moreover, the ESA, which is composed of the six-layered security architecture, is implemented.As mentioned earlier, the ESA proposed in this paper is expanded from the SABSA, and it gives a six by six matrix of cells, which represents the whole model for the enterprise security architecture. Attributes in the matrix are presented by 5W1H (what, why, how, who, where, and when). To implement secure information systems, correct design (i.e., enterprise security architecture) is required. To find vulnerabilities in the ESA design, an ESA review activity is conducted.
Requirement
Analysis Design Coding Testing Deployment Maintenance
Security Requirement Analysis Threat Analysis Asset Analysis Risk Assessment Security Code Review Safeguards Testing Security Deployment Review Risk Assessment Report Review Vulnerability Analysis Risk Mitigation (Safeguards) Enterprise Security Architecture (ESA) Modeling
- Contextual SA - Conceptual SA - Logical SA - Physical SA - Component SA - Operational SA Safeguards Implementation (Security Mechanisms and Services) Security Testing ESA Review ESA Review
In the coding phase, the selected safeguards, including the security mechanisms and services in the previous phase, are implemented, and the code for security issues is thoroughly reviewed in terms of whether it contains security vulnerabilities.
In the testing phase, the implemented safeguards and the enterprise information system are tested by both white- and black-box testing in terms of whether there are bugs at the implementation phase, or whether the enterprise information system meets the security requirements based on the security risk analysis report. Security testing also contains tests of the security mechanism implemented in the previous phase.
The deployment phase constitutes the process that installs the system and makes it operational in the production environment. This phase can be one of the most critical in SDLC since the production environments and considerations for integration issues can sometimes be ignored. For example, sometimes the system runs differently in the production environment even though it has been validated and verified in the test phase. That is, when complex subsystems or large systems are integrated together, we need to ensure that the system is secure. To achieve this, a security deployment re-view based on the security requirements is conducted in the deployment phase.
The goal of security management is to identify, evaluate, and manage key security risks that impact an organization’s stability and thus its ability to achieve its tives and strategies. It is a continuous process of establishing risk management objec-tives, assessing risks within the context of established tolerances, developing strate-gies and implementing risk management processes, and monitoring and reporting upon those processes. In the maintenance phase, the risk assessment report, which is the summary and conclusions of the risk analysis, is utilized to manage the residential and potential security vulnerabilities in enterprise information systems. Furthermore, an ESA review activity is conducted.
4
Conclusion and Future Work
Nowadays, most of the research studies on the development of secure information systems are focused on isolated, inconsistent software engineering-related technolo-gies. The security engineering methodology proposed in this paper covers the entire enterprise security-related activities for developing secure enterprise information systems. It combines security risk control, security enterprise architecture, and securi-ty management as an integrated framework. Moreover, the securisecuri-ty mechanisms and services are designed, implemented, and supported as an essential part of the enter-prise information systems. In this paper, we outline our ongoing work on an approach for the security engineering-based development of secure enterprise information sys-tems. In future work, we aim to present the detailed tasks in each activity the of secu-rity engineering methodology.
Acknowledgements
This research was supported by the National IT Industry Promotion Agency (NIPA) under the program of Software Engineering Technologies Development.
Reference
1. Cheng, J.C., Goto, Y., Horie, D., Kasahara, T. and Iqbal A., “Development of ISEE: An Information Security Engineering Environment”, In Proc. of IEEE International Symposi-um on Parallel and Distributed Processing with Applications, pp.505-510, 2009
2. Mead, N.R. and Hough E.D., “Security Requirements Engineering for Software Systems: Case Studies in Support of Software Engineering Education”, In Proc. of the 19th
Confer-ence on Software Engineering Educations & Training (CSEET’06), 2006
3. Kim, Y.-G. and Cha, S., “Threat Scenario-based Security Risk Analysis using Use Case Modeling in Information Systems”, Security and Communication Networks, 5(3), pp.293-300, 2012
4. Stevens, J.L.B., “Systems Security Engineering”, IEEE Security & Privacy, pp.72-74, 2011
5. Anderson, R., “Security Engineering – A Guide to Building Dependable Distributed Sys-tems”, Second Edition, Wiley Publishing, Inc., 2008
6. Pavlovic, D., “The Unreasonable Ineffectiveness of Security Engineering: An Overview”, In Proc. of 2010 Software Engineering and Formal Methods, pp.12-18, 2010
7. International Organization for Standardization (ISO), “Information Technology-Systems Security Engineering-Capability maturity Model (SSE-CMM)”, ISO/IEC 21827:2008 8. International Organization for Standardization (ISO), “Information Technology-Security
Techniques-Evaluation Criteria for IT Security – Part 1: Introduction and General Model”, ISO/IEC 15408-1, 2008
9. International Organization for Standardization (ISO), “Information Technology, Security Technical – Code of Practice for Information Security Managements”, ISO/IEC 27002, 2005
10. Nunes, F.J.B., Belchior, A.D. and Albuquerque, A.B., “Security Engineering Approach to Support Software Security, In Proc. of 2010 IEEE 5th World Congress on Services,
pp.48-55, 2010
11. Alberts, C. and Dorofee, A., ”Managing Information Security Risks: The OCTAVE Ap-proach”, Addison-Wesley Professional, 2003
12. Horie, D., Goto, Y. and Cheng, J., “Development of ISEE: An Information Security Engi-neering Environment”, In Proc. Of 2009 Second International Symposium on Electronic Commerce and Security, pp.338-342, 2009
13. Wang, H., Jia, Z. and Shen, Z., “Research on Security Requirements Engineering Process”, In Proc. of 16th International Conference on Industrial Engineering and Engineering Man-agement (IE&EM’09), Jiaozuo, China, pp.1285-1288, 2009
14. Mead, N.R. and Stehney II, T.R., “Security Quality Requirements Engineering (SQUARE) Methodology”, In Proc. of Software Engineering for Secure Systems (SESS’05), St. Louis, MO, 2005
15. Sherwood, J., Clark, A. and Lynas, D., ”Enterprise Security Architecture-A Business-Driven Approach”, CMP Books, 2005
